Lab 10: Set-AZKeyVaultAccessPolicy fails due to Az.KeyVault 4.10.1 module bug
Closed this issue · 2 comments
- Module 03: Secure Data and Applications
- Lab 10: Key Vault (Implementing Secure Data by setting up Always Encrypted)
- Exercise 3: Configure an Azure SQL database and a data-driven application
- Task 2: Create a policy allowing the application access to the Key Vault
- Step 5
The command quoted below at the above-referenced step and following source location fails with the following error message.
Set-AZKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName AZ500LAB10 -ServicePrincipalName $applicationId -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list
Set-AZKeyVaultAccessPolicy: The request content has one or more ambiguous paths: 'properties.networkAcls.ipRules' required for policy evaluation.
This is the result of a bug in the Az.KeyVault module version 4.10.1, documented at the below issue page:
Per the last comment by contributor BethanyZhou, Az.KeyVault 4.10.2 fixes the issue and is available via PSGallery. The next version of the Az module (following current version 10.2.0) will likely reference 4.10.2 or later, but there is "no plan to release a new Az for a sub-module's hot fix". Cloud Shell provides the current version 10.2.0 of Az at this time, and therefore the 4.10.1 version of Az.KeyVault.
The below command was also provided by the same contributor to update the Az.KeyVault module to the latest available version. Running this command prior to the above-referenced Step 5 command prevented the reported issue in our testing.
Install-Module Az.KeyVault -Repository PSGallery -Force -AllowClobber
Addition of the above command or an equivalent to the instructions prior to the existing Step 5 Set-AZKeyVaultAccessPolicy command should resolve this issue. This addition likely would be removed upon the next Az release.
Important Note
The following step 5 serves as an interim procedure until the next Az version is released.
5. In the PowerShell session within the Cloud Shell pane, run the following to update the Az.KeyVault module to the latest available version.
Install-Module Az.KeyVault -Repository PSGallery -Force -AllowClobber
Something missing from the initial report is that the Cloud Shell session must be closed and reopened after running the Install-Module command, otherwise Az.KeyVault 4.10.1 will still be loaded and the Set-AZKeyVaultAccessPolicy command will still fail. There may also be a PowerShell command which can successfully reload the new version of the module without a relaunch, but I wasn't able to discover one in attempts so far.
If an instruction to relaunch the Cloud Shell session can be placed after the Install-Module command, that should allow this workaround to be effective. The Install-Module command may need to be moved from its current location to avoid clearing the previously set PowerShell variables specified in the task.
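A pre-flight check for the workaround discussed in this thread, as an added example that is not part of the lab instructions or the Az project. It reports whether the session would still run the affected Az.KeyVault version and whether the task's variables survived a relaunch; the function name Test-KeyVaultModuleReady is hypothetical, and the version numbers are the ones quoted in this issue.

```powershell
# Added example: confirm the session is ready for the Step 5 access-policy command.
function Test-KeyVaultModuleReady {
    param(
        [string]  $ModuleName   = 'Az.KeyVault',
        [version] $FixedVersion = '4.10.2'   # first version reported as fixed in this issue
    )

    # Highest version installed on disk (what Install-Module updates).
    $installed = Get-Module -Name $ModuleName -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1

    # Any copy already imported into this session that predates the fix.
    $stale = Get-Module -Name $ModuleName | Where-Object { $_.Version -lt $FixedVersion }

    if (-not $installed -or $installed.Version -lt $FixedVersion) {
        Write-Warning "$ModuleName $FixedVersion or later is not installed (found: $($installed.Version))."
        return $false
    }
    if ($stale) {
        # The situation described in the last comment: updated on disk, old version still loaded.
        Write-Warning "$ModuleName $($stale.Version) is still loaded; close and reopen the Cloud Shell session."
        return $false
    }

    # A relaunch clears session variables, so check the ones the Step 5 command uses.
    $missing = 'kvName', 'applicationId' | Where-Object {
        -not (Get-Variable -Name $_ -ValueOnly -ErrorAction SilentlyContinue)
    }
    if ($missing) {
        Write-Warning "Variables not set in this session: $($missing -join ', '). Re-run the earlier steps of the task."
        return $false
    }

    Write-Host "$ModuleName $($installed.Version) is available and the task variables are set."
    return $true
}

Test-KeyVaultModuleReady
```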